# XML External Entity (XXE) via lxml etree.parse() with external entity resolution

Language: Python
Severity: Critical
CWE: CWE-611

## Source
3

## Flow
3-5-6-7

## Sink
7

## Vulnerable Code
```python
from lxml import etree
import io

def process_iot_device_config(xml_payload):
    parser = etree.XMLParser(resolve_entities=True, no_network=False)
    config_stream = io.BytesIO(xml_payload.encode('utf-8'))
    device_tree = etree.parse(config_stream, parser)
    root = device_tree.getroot()
    device_id = root.find('.//DeviceID').text
    firmware_url = root.find('.//FirmwareURL').text
    telemetry_interval = root.find('.//TelemetryInterval').text
    return {'device_id': device_id, 'firmware_url': firmware_url, 'interval': telemetry_interval}
```

## Explanation

The function accepts untrusted XML payload from IoT devices and parses it with resolve_entities=True and no_network=False enabled, allowing XML External Entity (XXE) attacks. An attacker can inject malicious XML with external entity declarations to read local files, perform SSRF attacks, or cause denial of service.

## Remediation

The fix disables external entity resolution by setting resolve_entities=False and blocks network access with no_network=True. Additionally, DTD loading and validation are explicitly disabled (dtd_validation=False, load_dtd=False) to prevent any DTD-based attacks including entity expansion and external entity injection.

## Secure Code
```python
from lxml import etree
import io

def process_iot_device_config(xml_payload):
    parser = etree.XMLParser(resolve_entities=False, no_network=True, dtd_validation=False, load_dtd=False)
    config_stream = io.BytesIO(xml_payload.encode('utf-8'))
    device_tree = etree.parse(config_stream, parser)
    root = device_tree.getroot()
    device_id = root.find('.//DeviceID').text
    firmware_url = root.find('.//FirmwareURL').text
    telemetry_interval = root.find('.//TelemetryInterval').text
    return {'device_id': device_id, 'firmware_url': firmware_url, 'interval': telemetry_interval}
```
